NEW GENERAL DATA PROTECTION REGULATION
Learn what will change and the rules you must adopt
On the 25th of May the new General Data Protection Regulation (GDPR, known in Portuguese as RGPD) will come into effect. In brief, the new rules focus on five key points:
- It is mandatory to obtain the explicit consent from the data subject for processing personal data;
- Easy access by the data subject to their personal data;
- The right to rectification, to erasure and to be forgotten;
- The right to object, namely to the use of personal data for profiling;
- The right to data portability from one service provider to another.
What is personal data?
The GDPR considers personal data all information relating to an identified or identifiable natural person (data subject), identifiable by reference to, e.g., a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In brief, any data that may identify a natural person, directly or indirectly, may be considered personal data: for example, a name, an address, an e-mail address, a taxpayer number, etc.
What should we consider as "data processing"?
Data processing is understood as any operation or set of operations carried out on personal data, with or without the use of automated means, including the following:
- Collecting and recording data;
- Organizing or structuring data;
- Adapting or amending data.
What should you do?
The first step is to make a diagnosis. Know what data is in the company's possession; it can be as diverse as the e-mail addresses entered in a newsletter, the personal data of employees that the company conveys to the tax authorities and Social Security, plus the data of customers, website visitors and so on. It is necessary to minimize the risk to the data subject, who must give explicit authorization in order for the organization to process and store the data. Pre-filled options are no longer possible; the data subject must personally fill them in. The data subject must also know the purpose the data is intended for, and the company can only use it for that purpose. It must be as easy to withdraw consent as it is to give it.
Diagnosis phase
Read the regulation. Identify the data that exists in the company and the processing being done. What types of data are there? For what purposes? And what is the storage period? Understand the existing data flows. Are there vendors with access to them?
Understand whether the company is required to appoint a Data Protection Officer (DPO). If necessary, appoint a DPO and involve them in the preparation process.
Identify the measures to be adopted. Evaluate whether the IT systems need to be replaced. Acquire the necessary systems. Design the implementation plan. Implement new measures and assess whether everything is in compliance.
Train employees. Ensure continued compliance with the GDPR.
Supervision will be carried out by the Comissão Nacional de Proteção de Dados [the Portuguese Data Protection Authority]. Failure to comply with the rules is punishable with harsh fines, in two tiers:
- In the less severe cases, the fine may amount to EUR 10 million or to 2% of the annual worldwide turnover, whichever is higher.
- In the most severe cases, the fine may amount to EUR 20 million or to 4% of the annual worldwide turnover, whichever is higher.